Lack of Transparency in Public Cloud

Discussing with industry colleagues the other day, I got challenged when I pointed out cloud services were lacking transparency. I actually realized that my statement was probably too broad as private clouds remain under the responsibility of their owners. So let me restate this a little more clearly, focusing on public cloud services, and let me describe what I mean.

Beyond IaaS, cloud services often require a “supply chain” to deliver the service. Indeed, the company advertising a service may rely on other companies to provide the infrastructure, some of the functionality included in the service, and so on. To quote a well-publicized example, Apple's iCloud seems to use Amazon and Microsoft Azure services. How do we know that? Because some curious journalist investigated the web addresses used when accessing the iCloud service.

When Amazon EC2 went down last April, people tracked the companies that ran into problems. The list can be found here. I did not check them all, but none of the ones I checked mention that they run on Amazon EC2.

This is the tip of the iceberg, the facts we can trace. But this means in practice there is NO way at the moment to know who is actually participating in the delivery of a public cloud service. There is no obligation of transparency in the delivery.

You remember, a couple of years ago, the T-Mobile/Microsoft/Danger data loss? It may not have been a cloud computing issue, but rather a failure to follow standard IT processes. But frankly, this does not matter. It demonstrates that the service is only as well managed and secured as its weakest link. The issue? We have no way to assess that weakest link, as we have no visibility into who is participating in the delivery of the service.

And I could continue this way. Now, you will tell me these are services developed for consumers, not for enterprises. And as 90+% of services are developed for consumers and SMBs, you are probably right. However, the boundaries are blurring between consumers and enterprises for two reasons. The first is that business people, not receiving appropriate service from their IT department, increasingly use external services (including Facebook, Dropbox, YouSendIt, etc.). We call this “shadow IT”.

The second is that a new generation, known as the millennial generation, enters the workforce. They are very familiar with IT and use it all the time to stay connected with friends and family. They expect the same in their work environment and do not understand why they need to use other tools for work than for private life.

On top of that, an increasing number of “free” services, originally developed for consumers, are moving up the stack, delivering “premium” services to businesses. Both often run on the same platform and use the same environments.

But what are the dangers of this lack of transparency? In my mind they are twofold. On the one hand, we have no visibility of the processes and procedures used by the players in the service supply chain. So, for example, what are the levels of security guaranteed by each of the partners? But also, what are the guarantees at the integration points between the partners? How are duties distributed, and are all aspects addressed?

I understand from talking to some lawyers of American IT companies that the Patriot Act may in essence not be that different from criminal legislation in other parts of the world. But as pointed out by ZDNet in their series on the subject, it is, to my knowledge, the only legislation that applies outside the boundaries of the initiating country without interaction with country jurisdiction. At the moment no Patriot Act related case has been brought before the courts, so no case law has been established yet.

So, how could we address these issues and provide the user of services with the appropriate information to allow him/her to decide what service to use with a full understanding of the implications?

I would make the following suggestions:

At the minimum, an obligation to include, in the description of the service, the names of all players in the service supply chain.

Ideally, provide the user with an objective assessment of the quality of the processes and procedures established for delivering the service. This should include security, redundancy, disaster recovery and data location at least. This could be done through formal certification, through a categorization of levels (e.g., a star system) or any other appropriate means. The objective is to allow the user to quickly and easily understand what he/she is actually getting.

As far as the Patriot Act is concerned, I would also urge the European Union to make a clear statement as to how enterprises can be compliant with both the EU Privacy Laws and the Patriot Act. There is a feeling of uncertainty in the market at the moment and that does not help the business.

Christian, as always you are dead on. My concern is that we're talking about 'transparency' on different levels. I've been hearing information security folks talk about transparency in a different way - that of 'auditability' of the 3rd party's actions. So in other words, as the consumer I need transparency from my vendor to see what actions they are taking on my environment, who performs those actions, and when... to help me determine how compliant and auditable I am; and to give me, the customer, assurance that I've got a sane environment. Brilliant, thought-provoking piece of writing, I'll see you in Vienna and we can talk more on this topic for the podcast!

Hi, Christian, thanks for sharing. Service transparency is the quality the cloud vendors should deliver, especially now the whole cloud eco-system is growing bigger and more complex. It's also part of GRC strategy; the IT and vendors should work on the same page for the more trusted partner relationship. Thanks.
